From: Pan Bian
To: Tom Lendacky, "David S. Miller"
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian
Subject: [PATCH] amd-xgbe: set skb to NULL after freeing it
Date: Wed, 28 Nov 2018 16:09:45 +0800
Message-Id: <1543392585-17962-1-git-send-email-bianpan2016@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The buffer skb is freed via dev_kfree_skb in a loop. skb may be used again in the next iteration, resulting in a use-after-free bug. To fix this, the patch sets skb to NULL after dev_kfree_skb(skb).

Signed-off-by: Pan Bian

--- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c index 0cc911f..ac6b82d 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -2754,6 +2754,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "error in received packet\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } @@ -2806,6 +2807,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) netif_err(pdata, rx_err, netdev, "packet length exceeds configured MTU\n"); dev_kfree_skb(skb); + skb = NULL; goto next_packet; } -- 2.7.4
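Review bot: in the first hunk (the "error in received packet" branch of xgbe_rx_poll()), the reset is placed right before goto next_packet, but neither the hunk nor the commit message shows which statement after that label reads skb again. Please name that statement in the commit message so reviewers can confirm the path actually tests skb for NULL rather than dereferencing it unconditionally, and consider adding a Fixes: tag so the change can be picked up for stable trees.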
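Review bot: the second hunk (the "packet length exceeds configured MTU" branch) repeats the same dev_kfree_skb(skb); skb = NULL; goto next_packet; sequence as the first, so the invariant "skb is NULL whenever control reaches next_packet after a free" is enforced only by convention at each call site. Consider routing both error branches through one shared label that frees and clears skb before falling into next_packet, and check whether any other dev_kfree_skb(skb) in this function jumps to next_packet without clearing the pointer.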